vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Programming Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=188)
-   -   Implementing CSRF Protection in modifications (https://vborg.vbsupport.ru/showthread.php?t=177013)

Skavenger 04-29-2008 11:03 PM

Quote:

Originally Posted by Boofo (Post 1499947)
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

What about this? I have a mod that doesn't have what is in bold...

I mean, there is no <input type="hidden" line either

Can I just add the security token below the opening form tag "<form>"?

Dismounted 04-30-2008 09:47 AM

Yes, you just add the line below the form tag.

ARB4HOSTING.COM 05-01-2008 02:48 AM

Thank you

dealxa 05-01-2008 11:03 AM

I didn't use color in posts, after upgrade :confused:
What is the problem?

rinkrat 05-01-2008 02:15 PM

I find it hard to believe that, in the final release candidate, Jelsoft would throw a monkey wrench like this into the mix and create a nightmare for all of their current customers who aren't programmers.

Isn't there any kind of search and replace mod that one of you can cook up to repair the damage done by this security token B.S.? It looks like the terrorists have finally won!

Boosted Panda 05-01-2008 03:51 PM

Quote:

Originally Posted by rinkrat (Post 1504585)
I find it hard to believe that, in the final release candidate, Jelsoft would throw a monkey wrench like this into the mix and create a nightmare for all of their current customers who aren't programmers.

Isn't there any kind of search and replace mod that one of you can cook up to repair the damage done by this security token B.S.? It looks like the terrorists have finally won!

I too am frustrated at this because I was thinking going gold meant ready to go. Now I have end users who are leaving my forums because of this. I spent 2 hours searching and replacing and now find out that anything with form needs it too :( Is there a hack or something out there that will do this automatically? This is quite a drag.

Boofo 05-01-2008 04:10 PM

Just do a template search for <form

Add the code to any form that uses POST. Simple.

The upgrade takes care of all that except for any add-on hacks.

spankaveli 05-04-2008 01:54 PM

Quote:

Originally Posted by Boofo (Post 1499947)
The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.

Thank you for this advice!!!! This fixed my itrader issue. Two or 3 of the itrader templates did not have "sessionhash."

Boofo 05-04-2008 02:04 PM

Default vb templates don't always have the sessionhash in the forms. Glad I could help. ;)

Mancunian_Red 05-04-2008 04:20 PM

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thank you, Wayne, for putting this in English. I just followed your instructions and then the problem was solved.
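
The template procedure described in the posts above (search for `<form`, and in every POST form add the securitytoken line after the sessionhash line, or directly below the form tag when there is none), as an added example that is not part of the thread or vBulletin's own code. It assumes template text exported as a string; the function name and the sample template are constructed for illustration.

```python
import re

# Token line exactly as quoted in the thread.
TOKEN_LINE = '<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />'

FORM_RE = re.compile(r'<form\b[^>]*>', re.IGNORECASE)
FORM_END_RE = re.compile(r'</form\s*>', re.IGNORECASE)
METHOD_POST_RE = re.compile(r'\bmethod\s*=\s*["\']?\s*post\b', re.IGNORECASE)
SESSION_RE = re.compile(r'<input\b[^>]*\$session\[sessionhash\][^>]*>', re.IGNORECASE)
TOKEN_RE = re.compile(r'name\s*=\s*["\']securitytoken["\']', re.IGNORECASE)

def add_security_token(template):
    """Return (patched_template, forms_patched) for one template's text."""
    patched = 0
    # Walk the forms backwards so earlier offsets stay valid after an insert.
    for m in reversed(list(FORM_RE.finditer(template))):
        if not METHOD_POST_RE.search(m.group(0)):
            continue  # the thread's advice covers forms that use POST only
        end = FORM_END_RE.search(template, m.end())
        body = template[m.end():end.start() if end else len(template)]
        if TOKEN_RE.search(body):
            continue  # already has the token, so re-running is harmless
        s = SESSION_RE.search(body)
        # After the sessionhash input if present, else right below <form ...>.
        at = m.end() + (s.end() if s else 0)
        template = template[:at] + "\n" + TOKEN_LINE + template[at:]
        patched += 1
    return template, patched

# Constructed sample: four forms as they might appear in add-on templates.
SAMPLE = '''<form action="itrader.php" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="submit" />
</form>
<form action="mod.php" method="POST">
<input type="text" name="note" />
</form>
<form action="search.php" method="get">
<input type="text" name="q" />
</form>
<form action="done.php" method="post">
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
</form>
'''

if __name__ == "__main__":
    out, count = add_security_token(SAMPLE)
    print(out)
    print("forms patched:", count)
```

Review the patched text before saving it back through the Admin CP; forms built by string concatenation in PHP rather than in templates are not seen by this scan.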

